Summary: | net-analyzer/munin: root privilege escalation via "chown -R" in pkg_config | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
Component: | Auditing | Assignee: | Gentoo Security <security> |
Status: | CONFIRMED --- | ||
Severity: | major | CC: | chutzpah, dev-zero, graaff, idl0r, kfm, robbat2 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [ebuild?] | ||
Package list: | Runtime testing required: | --- |
Description
Michael Orlitzky
2017-09-13 17:12:58 UTC
This bug shows that it is under embargo, but there is no deadline. Please advice on how or when to proceed. We know the specific files we create here, so we can use this instead: chown munin:munin /var/lib/munin/.ssh/id_{rsa,ecdsa}{,.pub} (In reply to Hans de Graaff from comment #1) > This bug shows that it is under embargo, but there is no deadline. Please > advice on how or when to proceed. > > > We know the specific files we create here, so we can use this instead: > > chown munin:munin /var/lib/munin/.ssh/id_{rsa,ecdsa}{,.pub} That "chown" will still follow a symlink, so it's important that every directory involved be owned (and writable only) by root. Is that the case even though /var/lib/munin is the "munin" user's home directory (I haven't checked)? enewuser munin 177 -1 /var/lib/munin munin If it will work, I would suggest instead using "su -s /bin/sh -c ... munin" to perform the key generation *as the munin user* so that you don't have to try to fix things afterwards. (In reply to Hans de Graaff from comment #1) > This bug shows that it is under embargo, but there is no deadline. Please > advice on how or when to proceed. Oh, and there's nothing special about the "embargo" status, I was just asked to keep these sorts of issues private until a fix is available. Another thing to consider is that everyone who ran "emerge --config munin" up until now will still have "munin" owning /var/lib/munin and everything under it. Fixing that is itself a hairy proposition, so if you can use "su" to eliminate the chowns, that's one less thing to think about. Unrestricting and reassigning to security@ per bug #705894 unrestricting per bug 705894 Maintainers/mjo, is this now obsolete with the new user/group functionality? No, nothing has changed. (It would also be nice if acct-user/munin followed the devmanual's guidelines for its home directory. Right now the package and the user are pointlessly and dangerously coupled.) |